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Termination is an important property of programs; notably required for programs 
formulated in proof assistants. It is a very active subject of research in the 
Turing-complete formalism of term rewriting. Over the years many methods and tools 
have been developed to address the problem of deciding termination for specific 
problems (since it is undecidable in general). Ensuring reliability of those tools is 
therefore an important issue. 

In this paper we present a library formalizing important results of the theory of 
well-founded (rewrite) relations in the proof assistant Coq. We also present its 
application to the automated verification of termination certificates, as produced by 
termination tools. 

The sources are freely available at |http: //color . inria. fr/[ 



1. Introduction 



Rewriting is a general (Turing-complete) yet very simple formalism (TeReSe, 2003) that 



can be used as a programming language ( [Borovansky et ai, 2000 Clavel et al., 2005 ) or in 



which some other programming languages can be easily encoded (in particular logic and 
functional programming languages). Both cases open the way to benefit from techniques 
deve loped for term rewrite systems like termination ([Giesl et ai, 2006[ Nguyen et al., 
2007; |Schneider-Kamp et ai, 2009D or complexity analysis (|Marion7 "20031 Hirokawa & 
Moser, 2008). Term rewriting is also a general tool for deciding the equality of two terms 
in some equational theory ( [Knuth fc Bendix, 1970[ ). 

That is why various authors proposed logical systems where functions and predicates 
can be defined by arbitrary user-defined rewrite rules (instead of inductive definitions 
only), and where the equivalence on types/propositions is enriched with these user-defined 
rules dCoquand, 1992} [Barbanera et ai, 19971 |Dowek et ai, 20031 [Blanqui, 2005] ). This is 
especially important, as enriching the equivalence on types facilitates the use of depen- 
dent types. However, in contrast with the systems where all functions and predicates are 
inductively defined ( |Coquand fc Paulin-Mohring, 19881 [Altenkirch, 1993[|Werner, 1994] ), 
the decidability of type-checking and the logical consistency of the system are not guar- 
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anteed anymore. To ensure these essential properties, the user-defined rules must satisfy 
non-trivial conditions like subject reduction, confiuence, termination or definition com- 
pleteness ( [Coquand, 1992[|Dowek fc Werner, 2003 Blanqui, 2005 Walukiewicz-Chrz^szcz 



fc Chrzqszcz, 2008). Checking such conditions requires the use of complex and thus likely 
to be buggy software, which reduces the overall confidence we may have in such logical 
systems. 

Coq is a proof assistant based on the calculus of inductive constructions (Coquand 
fc Paulin-Mohring, 1988; [Werner, 1994[ ), a very rich typed lambda-calculus with poly- 
morphic and dependent (inductive) types, that includes higher-order logic through the 
propositions- as- types principle ( [Barendregt, 1992| ). For a complete overview of this proof 
assistant, we refer the reader to the Coq reference manual (Coq Development Team, 
2009) and to ( [Bertot fc Casteran, 2004[ ); instead we only mention some of its features: 
functions and predicates can be defined inductively ( [Paulin-Mohring, 1993^ , proof terms 
are obtained by executing scripts ( [Delahaye, 2000[ ), definitions and proof scripts can be 
organized in modules ( [Chrz^szcz, 2003| . 

A rewrite relation is simply a relation on the set of first-order terms generated from a 
given signature that is stable under substitutions and contexts. In general, one considers 
rewrite relations generated from a set of rewrite rules. A rewrite relation is terminating 
(strongly normalizing, well-founded, noetherian) if there is no term starting an infinite 
sequence of rewrite steps. 

In this paper, we present the foundations of a formalization of the theory of well- 



founded first-order rewrite relations (TeReSe, 2003 1 in Coq. There are various motivations 
for this work: 

— verifying correctness of certificates produced by automated termination provers; 

— allowing function definitions with non-structurally recursive calls in proof assistants, 
and the use of external automated termination provers to check their termination; 

— providing an important library of types and functions making an extensive use of 
dependent types. 

We will elaborate on them in the following sections. 



1.1. Verifying correctness of termination certificates 

In the last years, many new techniques and tools have been developed to automatically 
(dis)prove termination of rewrite systems ([Termination Portal! [Termination Competition! 
[Waldmann, 2009"| . These techniques and tools are more and more sophisticated, and use 
external tools like SAT solvers ( [Schneider-Kamp et ai, 2007[ [Fuhs et ai, 2007| . As a 
consequence, it is hard to trust their results and, indeed, every year sees some tools 
disqualified because of errors found in their results. 

Hence, providing a way to automatically verify correctness of termination certificates 
is useful for many applications like automated termination provers and proof assistants. 

1.1.1. Termination certificates. Termination techniques can be divided into two cate- 
gories: the ones that either prove a complete termination problem or fail, and the ones 
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Fig. 1. Certifying termination with CoLoR and Rainbow 



that transform/spht a termination problem into one or more termination problems. 
Hence, a termination proof can be represented by a termination certificate that, roughly 
speaking, is a tree, a node being labelled by a termination problem, the termination 
technique applied at that point and its parameters. 

For instance, a rewrite system can be proved terminating by finding a well-founded 
quasi-ordering on symbols so that, for each rule, the left-hand side is strictly greater than 
the right-hand side in the multiset path ordering (MPO) based on the quasi-ordering on 
symbols ( [Dershowitz, 1982 ). Then, a certificate for this proof can be given by a node 
labelled with the termination problem, the termination technique used (MPO) and its 
parameters (the quasi-ordering on symbols). 

Verifying that a certificate is correct consists of checking that parameters indeed satisfy 
the conditions required by the termination technique and, in case of a transformation 
technique, that the subtrees are labelled by correct termination problems. Checking that 
some parameters satisfy the conditions required by a termination technique should be 
of reasonable complexity (polynomial). Otherwise, the certificate must be refined by 
providing more details on how to check the conditions. In the case of MPO, given a finite 
well-founded quasi-ordering on symbols, one only has to check that each rule is included 
in MPO. 

A common format based on these ideas has been recently developed and used in the 
last termination competition ( [Certification Problem Format, 2010D . 



1.1.2. Our approach. In order to verify such termination certificates with the highest 
confidence possible, we developed the following methodology (see Figure [1]). 

We formalized in a proof assistant (Coq) various termination techniques used in mod- 
ern automated termination provers, together with boolean functions for checking the 
conditions that the parameters must satisfy, and we proved their correctness. This is the 
CoLoR library that we are going to describe in the following sections. 

Then, we wrote a program, called Rainbow, which, given a file containing a certifi- 
cate in the aforementioned format, generates a Coq file containing a formalization of 
the termination problem, a formalization of all the parameters used in the certificate, 
and a short and simple proof script for the theorem stating that the rewrite system is 
(non-)terminating. This script consists of applying the lemmas corresponding to the ter- 
mination techniques used in the certificate, and checking correctness of the parameters 
by testing the equality of the corresponding boolean functions to true (refiexivity proof). 
Coq is then called to check the correctness of this proof script. 
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We tried to keep Rainbow as simple as possible but, nonetheless, Rainbow itself can 
introduce various types of errors: parsing can be wrong or incomplete, and the formal- 
ization of the termination problem, the parameters or the termination proof may be 
wrong. Moreover, some termination proofs may require a lot of computations (for in- 
stance, some proofs use dozens of successive matrix interpretations), and computations 
in Coq are often much less efBcient than in more traditional programming languages. 

To improve this, we started to formalize Rainbow itself in Coq by formalizing the certifi- 
cates themselves, defining boolean functions to check certificate correctness and proving 
that this function itself is correct, that is, that one can indeed build a termination proof 
if th e function returns true. Then, by using Coq extraction mechanism (^ Paulin-Mohring, 
1989; ILetouzey, 2002D , we can get a standalone termination certificate checker. 

1.1.3. Results. In 2009, some experiments showed that Rainbow could successfully check 
up to 701 certificates among 1226 produced by AProVE ( |Giesl et ai, 2006P , that is, 57%. 
In the 2009 termination competition, it could successfully check 399 certificates among 
the 964 generated by the participating provers, that is, 41%. (Rainbow did not participate 
to the 2010 competition held only 6 months after the 2009 competition.) This difference 
is due to the fact that, in the first case, the certificates were produced specifically for 
Rainbow while, in the second case, many certificates were produced for tools handling 
termination techniques not supported by Rainbow. The best tool was CeTA (Sternagel 



& Thiemann, 2009) with 774 certificates successfully checked, that is, ou7o. 

The project started in 2004 and since then the Rainbow program grew to about 6,000 
lines of OCaml code and the CoLoR library to approximately 70,000 lines of Coq, with 
its contents roughly broken down as follows: 

— 12%: basic mathematical theories (relations, semi-rings), 

— 25%: data structures (lists, vectors, multisets, matrices, polynomials), 

— 38%: term structures and rewriting theory, 

— 25%: termination techniques. 

It contains about 1500 definitions (types, predicates or functions), and about 3500 the- 
orems, many of them being of course simple theorems stating introduction/elimination 
rules for the defined notions, or equalities/equivalences used to explicitly rewrite terms 
or propositions in proofs. The library also provides about 185 (simple) tactics (Delahaye, 
2000) that are used in CoLoR or in the termination proof scripts generated by Rainbow. 

Developing libraries of functions and theorems on some data structures or basic math- 
ematical theories is interesting in itself since it can be reused by other people for doing 
other developments. This is the case for CoLoR which has so far been used in a formaliza- 
tion of the Spi calculus ( [Briais, 2008[ ) , a modular development of certified program veri- 



fiers ( Chlipala, 2006 ) and an efficient Coq tactic for deciding Kleene algebras (Braibant 



& Pous, 2010)7 



1.2. Using dependent types 



Another motivation for this work was to make a development heavily using dependent 
types ( [Barendregt, 1992| ). First-order terms with symbols of fixed arity can be naturally 
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formalized using dependent types as we will see in the next sections. However, it is well 
known that, in current proof assistants, dependent types may sometimes be difficult to 
work with, because the equivalence on types is not rich enough. Such developments can 
therefore be used as a benchmark for evaluating proof assistants on the feasibility and 
ease of use of dependent types. Currently, to address this problem, one needs to intro- 
duce auxiliary functions or explicitly apply type casting functions. As already mentioned, 
the use of rewriting or (certified) decision procedures in the equivalence on types, solves 
many of these problems ( [Blanqui, 2005[[Blanqui et al., 2008[|Strub, 2010[ ).This approach 
is adopted in Coq modulo theories (CoqMT) , a new extension of Coq where type equiv- 
alence can be extended by decision procedures such as linear arithmetic ( [Strub, 2010[ ). 



1.3. Outline 

Preliminary overview of CoLoR was given in dBlanqui et al., 2006[ [Koprowski, 2008t 
|Blanqui fc Koprowski, 2009[ ). Detailed descriptions of formalizations of some particular 
termination techniques are presented in prior publications, to which we refer for more 
details: 



polynomial interpretations (Hinderer, 2004) 



— recursive path ordering ( [Coupet-Grimal fc Delobel, 2006[ ), 

— multiset orde ring and higher-order recursive path ordering ([Koprowski, 2006[ Ko- 
prowski, 2008; [Koprowski, 2009D , 

— matrix and arctic interpretations pCoprowski fc Zantema, 2008} Koprowski & Wald- 
mann, 2008; [Koprowski, 2008^ . 

In this paper, we give a detailed presentation of CoLoR's foundations (definitions of 
terms, rewriting, etc.) and of key termination techniques not presented before (depen- 
dency pairs, dependency graph decomposition and reduction pairs). 

The remainder of the paper is organized as follows. 

In Section [21 we discuss related work. 

In Section [3l we present our formalization of the basic notions of rewriting theory: sig- 
natures, terms, contexts, interpretations, substitutions, rules, rewriting and termination. 
We also discuss some of the problems we faced in Coq and how we addressed them. 

In Section[31 we describe the formalization and the proof of the main theorem on depen- 
dency pairs, a key notion of modern automated termination provers. This development 
provides an interesting example of a use of a higher-order, polymorphic and dependent 
program (for computing the cap and aliens of a term). 

In Section [Sj we present the formalization of the dependency graph decomposition, 
another key technique of modern automated termination provers. 

In Section [6l we describe the formalization of the general termination technique based 
on reduction pairs/orderings. A particular instance of this technique is the polynomial 
interpretations over natural numbers described in Section [7| 

In Section [Sj we illustrate our approach by presenting a complete example of automat- 
ically generated Coq script for some simple termination certificate. 
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Finally, Section [9] provides some concluding remarks and presents future directions of 
research. 



2. Related work 

There are two other libraries/tools aiming at verifying termination certificates that par- 
ticipate in the termi nation competition ([Termination Competition! : CiME3 ( E. Conte- 
jean & Urbain, 2009) and CeTA ( [Sternagel et ai, 2010[ ). In addition, pro^oF assistants 
generally have their own termination checkers. 

2.1. CiMES 

CiME3 also produces Coq scripts based on a Coq library called Coccinelle (Contejean, 
2007; [Contejean et ai, 2007[ [Courtieu et ai, 2008[ ). The approach taken in that tool is 
slightly different from ours. In Rainbow, we use a deep embedding: every type of objects 
and every termination technique used in certificates is formalized in CoLoR and can be 
the subject of a mathematical study. In CiMES, this is not always the case: a shallow 
embedding is used for some types of objects and some termination techniques. 

For instance, to formalize a termination problem. Rainbow defines the set of rules 
and uses the definition of rewrite relation generated by a set of rules defined in CoLoR. 
On the other hand, CiMES generates an ad hoc inductive predicate defining the rewrite 
relation. Hence, the Coq scripts generated by CiMES are often longer, less readable and 
take significantly more time to be checked by Coq. 

The main advantage of the shallow embedding approach is the ability to leverage some 
features of the proof assistant to get some work done for free. For instance defining 
polynomials as native functions in the proof assistant (shallow embedding) , instead of as 
a new inductive data- type (deep embedding), forbids us from studying their meta-theory 
but gives us for free the capability to evaluate a polynomial on given values. 

However, because the amount and the complexity of the generated code is more impor- 
tant, we think that this makes CiMES more difficult to develop and maintain. Even more 
importantly, the use of a shallow embedding makes it impossible to develop meta-theory 
and hence generic checkers for termination techniques. Therefore one cannot benefit from 
the Coq extraction mechanism to obtain an independent, certified checker; an approach 
that we plan to incorporate to our toolset in the near future. 

Some notions or techniques can be found in both libraries, but they are often formal- 
ized differently and work with different notions of terms. Indeed, CoLoR and Coccinelle 
do not define terms in the same way (we will come back to this point in the next section). 
However, in CoLoR, we defined a translation of CoLoR terms into Coccinelle terms in or- 
der to reuse some results/functions available in Coccinelle only, like its certified decision 
procedures for matching modulo AC (associativity and commutativity) , unification mod- 
ulo ACU (associativity and commutativity with a neutral element) and the recursive path 
ordering (RPO). Hence, the last version of Rainbow could verify RPO proofs by using 
Coccinelle. The converse translation (of Coccinelle terms to CoLoR terms) should also be 
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possible, although slightly more complicated, as it would have to translate a Coccinelle 
term to an optional CoLoR term, checking term well-formedness in the process. 

2.2. CeTA 

CeTA is a Haskell ([Peyton-Jones, 2003[) program (there is also an OCaml version ^ Leroy 
et ai, 2010)) extracted ( |Berghofer fc Nipkow, 2002[ [Haftmann fc Nipkow, 2010^ from 
a library called IsaFoR dSternagel fc Thiemann, 2009} [Sternagel fc Thiemann, 2010| 
developed in the proof assistant Isabelle/HOL ( [Nipkow et ai, 2002p . Hence, it also uses 
a full deep embedding approach and is naturally faster than CiME3 and the current 
non-extracted version of Rainbow. 

IsaFoR now includes most techniques previously formalized in CoLoR and Coccinelle 
and some new important ones (most notably the subterm criterion and usable rules) 
that greatly increase the number of termination proofs that can be verified. Apart from 
termination techniques, also parsing of termination certificates is formalized in IsaFoR, 
so that extraction gives a complete, stand-alone tool for checking termination proofs. 
IsaFoR is now nearly 40,000 lines of Isabelle/HOL. 

At the moment, CeTA is the best termination certificate verifier: at the time of writing, 
it can successfully verify 1432 certificates over 1536 found by TTT2 ( [Korp et ai, 2009| ) 
on 2132 termination problems, hence it is capable of certifying 93% of TTT2 proofs. 

The main difference between IsaFoR on the one hand, and Coccinelle and CoLoR on 
the other hand, is therefore the language and the axioms used to define objects and 
properties. In IsaFoR, it is a ML-like ( [Harper et ai, 1986| simply typed lambda-calculus 
with (implicitly universally quantified) type variables and inductive predicates, while 
in Coccinelle and CoLoR, the language used is the calculus of inductive constructions 
( [Coquand fc Paulin-Mohring, 1988} [Werner, 1994^ featuring fully polymorphic and de- 
pendent types. Moreover, in IsaFoR, the (higher-order) logic imposed by the system is 
classical, while in Coccinelle and CoLoR it is intuitionistic. It is however possible, and 
sometimes necessary, to use in Coq the excluded middle (we will come back to this point 
later). Hence, in IsaFoR. termination is defined as the absence of infinite sequences of 
rewrite steps, while in Coccinelle and CoLoR, termination is defined as a constructive 
inductive predicate called accessibility (more on that in Section 13.71 . Since most of the 
correctness proofs of termination techniques that one can find in the literature are clas- 
sical, their adaptation to a constructive setting is an interesting endeavour. We leave for 
future work a more detailed comparison of the two approaches. 

2.3. Proof assistants 

Proof assistants such as Coq or Isabelle/HOL include their own automated termination 
provers but these provers are implemented as internal tools working on the internal 
representation of the proof assistant language and, unfortunately, currently can not be 
used outside these proof assistants. 

C oq has its own termination prover developed by Bruno Barras and based on (^ Gimenez, 
1994) that essentially checks that recursive call arguments are "structurally smaller" (Co- 
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quand, 1992) modulo some possible reductions. Coq also provides the Function command 



(Balaa & Bertot, 2000 Barthe et ai, 2006) and the more recent Progrcun extension 



(Sozeau, 2007), both of which allow one to define a function with non-structurally de- 
creasing arguments in recursive calls, provided that one can prove that all recursive call 
arguments are strictly decreasing in some well-founded relation. 

Isabelle/HOL has its own automated termination provers that internally generate Is- 
abelle/HOL termination proofs ( [Bulwahn et ai, 2007[ |Krauss, 2007| . 

Since those embedded termination provers are necessarily limited, proof assistants 
would greatly benefit from the certification of termination proofs allowed by CeTA, 
CiME3 and Rainbow. 



3. Terms and rewrite relations 

In this section, we explain how terms and rewriting concepts are formalized in CoLoR. 
We encourage the reader to consult the actual sources of CoLoR for a more in-depth 
understanding of the presented notions. The sources are available for download and for 
online browsing (with proofs omitted) at: 

[http : / / color . inria . frj 

CoLoR provides various notions of terms: strings, first-order terms with symbols of 
fixed arity (simply called algebraic in the following), first-order terms with varyadic 
symbols (a varyadic symbol can be applied to any number of arguments; this is often 
used when a symbol is associative and commutative), and simply typed lambda terms 
( [Koprowski, 2009"] ). The files about strings are prefixed by S, those about varyadic terms 
are prefixed by V, and those about algebraic terms are prefixed by A. 

In this paper, we will only consider algebraic terms (directory Term/WithArity). 



3.1. Signatures 

Algebraic terms are inductively defined from a signature (module ASignature defined 
in file ASignature . v) defining the set of symbols, the arity of each symbol, a boolean 
function saying if two symbols are equal or not, and a proof that this function is correct 
and complete wrt Coq default (Leibniz) equality predicate: 

Record Signature : Type := mkSignature { 
symbol :> Type; 
arity : symbol -> nat; 
beq_symb : symbol -> symbol -> bool; 

beq_symb_ok : forall x y, beq_symb x y = true <-> x = y }. 

Note that we declare the record field selection function symbol: Signature -> Type 
as an implicit coercion (keyword : >) ( jSai'bi, 1997^ so that a signature can always be given 
as argument to a function waiting for a Type, the Coq system adding the necessary calls 
to symbol wherever necessary. 

Another solution would be to make symbol a parameter of a signature. It would add 
yet another argument to functions and lemmas using a signature, but this argument can 



CoLoR: a Coq library on well-founded rewrite relations 



9 



be inferred by the Coq system and the extracted OCaml code would be cleaner and easier 
to use (no Obj .magic). It would also allow us to use the new Coq feature of type classes 
( Sozeau, 2008 1 . We leave for future work such an experimentation. 

At the beginning, we were using a single lemma stating the decidability of equality on 
the set of symbols: 

eq_dec: forall x y, ■[x=y}+-[~x=y}, 

where {A} + {B} is the standard Coq notation for disjunction between A and B (the 
difference with the disjunction notation A \/ B having to do with extraction). Separating 
into a computational function (beq_syinb) and a proof of its correctness (beq_symb_ok), 
as used, for instance, in the Ssreflect library ( [Gonthier fc Mahboubi, 2009[ ), improved the 
time spent by Coq for checking scripts generated by Rainbow by 9% on average. This can 
be explained by the fact that terms are smaller and fewer conversion tests are required. 



3.2. Vectors and equality 

For defining terms, we use the Coq module Bvectoi[t] of the standard library which defines 
the type of vectors (also called arrays or dependent lists) with elements of type A: 

Inductive vector : nat -> Type := 
I Vnil : vector 

I Vcons : forall (a:A) (n:nat), vector n -> vector (S n) . 

But the Coq standard library provides almost no functions and theorems about vectors. 
We therefore had to develop an important library on vectors (directory Util/Vector and, 
in particular, the module VecUtil). To our knowledge, this is the most developed library 
on vectors (more than 3,000 lines of Coq). 

A simple yet important function that we need sometimes to use for fulfilling some type 
constraints is the following explicit type casting function which, given a vector of size m 
(vec is an abbreviation for vector A) and a proof that m=n, returns a vector of size n: 
Fixpoint Vcast m (v : vec m) n (mn : m = n) : vec n := ... 

This function is of course nothing but the identity from a computational point of view, 
but it allows one to see a vector of size m as a vector of size n whenever m and n are 
provably equal. It is currently defined as a recursive function breaking up and building 
back the vector. But it is also possible to define it as the identity (experimentation done 
by Pierre- Yves Strub but not integrated in CoLoR yet). It is needed in some theorems 
which would not be typable otherwise, such as: 

Lemma Vapp_iiil : forall n (v : vec n) (w : vec 0) , 
Vapp v w = Vcast v (plus_n_0 n) . 

since Vapp v w is of type n+0 which is not computationally but only inductively equiv- 
alent to n, because the addition is defined by induction on its first argument. Indeed, in 
Coq, equality is defined as follows: 

Inductive eq (A: Type) (x:A) : A -> Prop := refl_equal : eq A x x. 

t The "B" is there for historical reasons, as this library started as a library of vectors over booleans. 
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It is possible to avoid these explicit casts by instead using Conor McBride's inductive 
definition of equality ( [McBride, 1999 1 which, to some extent, allows both members of 
the equality to have distinct types: 

Inductive JMeq (A: Type) (x:A) : forall B:Type, B -> Prop := JMeq_refl : JMeq x x. 

But, for eliminating such an equality, both types must be computationally equiva- 
lent. So, we prefered to stick with the standard equality of Coq, especially since tactics 
available in Coq are better suited for reasoning about it. 

Note also that, in some cases, we need to use the identity of equality proofs (forall 
hi h2 : n=iii, hi = h2) dStreicher, 19931 ). Since the equalities that we consider are on the 
set nat of natural numbers on which equality is decidable, this property can be proved 
and no axiom is required. 

We could perhaps benefit from a recent library of lemmas and tactics to reason on 
heterogeneous equalities ( |Hur, 20W| ). But we will prefer to use an extension of Coq 
incorporating rewriting or decision procedures in the equivalence of types ( [Blanqui, 2005[ 
[Blanqui et ai, 2008[ |Strub, 2010| . Some recent experiments show that, with CoqMT 
dStrub, 2010) , all casts can be removedj. 



3.3. Terms 

Given a signature Sig, we can define the type of algebraic terms (module ATerm): 

Notation variable := nat (only parsing). 
Inductive term : Type := 
I Var : variable -> term 

I Fun : forall f : Sig, vector term (arity f) -> term. 

Note that variables are represented by natural numbers. It is sufficient and simpler 
than using an arbitrary type because such a type needs to be equipped with functions 
and properties for, say, defining the renaming of a term away from some finite set of 
variables. By using natural numbers, we directly benefit from all the functions, properties 
and tactics available on natural numbers. 

Thanks to the strong type system of Coq, every expression of type term corresponds 
to an algebraic term in the mathematical sense: a symbol cannot be applied to a number 
of terms distinct from its arity. 

Another solution would be, like it is the case in Coccinelle, to define terms as varyadic 
terms, together with a function for checking the well-formedness of a term that one would 
use whenever it is necessary: 

Inductive term : Type := 

I Var : variable -> term 

I Term : symbol -> list term -> term. 
Fixpoint well_formed (t:term) : bool := ... 

The advantage is that various termination criteria defined in the literature for algebraic 
terms are in fact also valid for varyadic terms. However, when one needs to reason on 



■f See |http: //git ■ strub.nu/git/coqmt /tree/test- suite/dp/dlist . v| 
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well-formed terms, it is much more convenient to use an inductive definition that provides 
these conditions for free. We will see such an example with polynomial interpretations 
(Section [7]) which is a technique that naturally requires well-formed terms, since every 
symbol of arity n must be associated to a polynomial with n variables. 

Since algebraic terms can easily be translated into varyadic terms, every termination 
criterion developed for varyadic terms can be easily applied on algebraic terms. Hence, 
by using a translation from CoLoR algebraic terms to Coccinelle varyadic terms (module 
Coccinelle), we could enable Rainbow to verify certificates for RPO by reusing the 
efficient decision procedure for RPO developed in Coccinelle. 

It is certainly possible to define a translation the other way around and, for CiME3, to 
reuse results formalized in CoLoR on algebraic terms. As remarked before, such a trans- 
lation would transform a Coccinelle term into an optional CoLoR term, while checking 
term well-formedness along the way. 

3.3.1. Remarks on recursive definitions in Coq. The induction principle automatically 
generated by Coq for the type term is too weak since vector term (arity f ) or list 
term are not seen as recursive arguments. We therefore need to redefine it by hand. 

Because of the limitation of Coq termination checker, it is not possible to define the 
induction principle (and many other functions on terms) with two mutually recursive 
definitions, one on terms and another one on vectors of terms, as follows (HI, H2, ... are 
the induction hypotheses): 
Fixpoint term_rect t : P t := 

match t as t return P t with 
I Var X => HI X 

I Fun f V => H2 f (terms_rect (arity f) v) 
end 

with terms_rect n (v : terms n) : Q v := 
match V as V return Q v with 
I Vnil => H3 

I Vcons t' n' v' => H4 (term_rect t') (terms_rect n' v') 
end. 

Instead, we have to use a nested fixpoint: 
Fixpoint term_rect t : P t := 
match t as t return P t with 
I Var X => HI X 
I Fun f V => 

let fix terms_rect n (v : terms n) : Q v := 
match V as V return Q v with 
I Vnil => H3 

I Vcons t' n' v' => H4 (term_rect t') (terms_rect n' v') 
end in H2 f (terms_rect (arity f) v) 

end. 

Since inner fixpoints are anonymous, we need to duplicate its definition to give it a 
name and prove that both expressions are indeed equal. Finally, another disadvantage is 
that definition unfolding creates big terms. 
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3.4. Contexts 

Contexts are defined as terms with a unique hole in a similar way (module AContext): 

Notation terms := (vector term). 
Inductive context : Type := 
I Hole : context 

I Cont : f orall (f : Sig) (i j : nat) , i + S j = arity f -> 
terms i -> context -> terms j -> context. 
Fixpoint fill (c : context) (t : term) : term := ... 

Thanks to the use of dependent types, contexts are well-formed by construction and 
replacing a hole by some term always leads to a well-formed term. 

As the reader may already have remarked in the previous declarations which are di- 
rectly taken from the CoLoR files, Coq offers a mechanism for automatically inferring, 
to some extent, the missing arguments and types. This is a very important feature, es- 
pecially with polymorphic and dependent types, that are heavily used in CoLoR. For 
instance, for a context, it is sufficient to write (Cont h ti c tj) where h is of type 
i+Sj=arity f. Then, Coq can infer that this is in fact (Cont Sig f i j h ti c tj). 

3.5. Interpretations and substitutions 

We now come to the interpretation of terms into some non-empty domain D given an 
interpretation function // : Z?" D for each function symbol / of arity n (module 
AInterpretation). This gives D a structure of a E-algebra where S is the signature. 

Definition naryFunction A B n := vector An -> B. 
Definition naryFunctionl A := naryFunction A A. 
Record interpretation : Type := mklnterpretation { 

domain : > Type ; 

some_elt : domain; 

fint : f orall f : Sig, naryFunctionl domain (arity f) }. 

where domain is the domain D and fint corresponds to the family of functions If. Given 
a valuation p : X ^ D for the variables of t (valuation), the interpretation of a term t, 
written \t\p (term_int t valuation), is the recursive application of the interpretation 
functions If: 

Variable I : interpretation. 

Definition valuation := variable -> (domain I) . 
Variable xint : valuation. 
Fixpoint term_int t := 
match t with 

I Var X => xint x 

I Fun f ts => fint I f (Vmap term_int ts) 
end. 

A substitution is then nothing but an interpretation on the domain of terms by taking 

If{tl,. . . ,t„) = f{ti, . . . ,tn). 
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Definition 10 := mklnterpretation (Var 0) (OFun Sig) . 
Definition substitution := valuation 10. 

Definition sub : substitution -> term -> term := @term_int Sig 10. 

Interpretations play an important role in termination. Indeed, given an interpretation 
/ and a relation > on the domain Z? of /, the relation >/ on terms such that t >i u 
if \t\p > for all valuation p : X ^ D for the variables of t and u, is well-founded 
when > is well-founded (Manna & Ness, 19701. The relation >/ is always stable under 
substitutions and it is stable under contexts if the functions If are monotone wrt > 
in every argument (module AWFMInterpretation). We will come back to this point in 
Section HI 

Before that, we define some basic properties of relations on terms (module ARelation): 
Definition preserve_vars := forall t u, R t u -> incl (vars u) (vars t) . 
Definition substitution_closed := 

forall tl t2 s, R tl t2 -> R (sub s tl) (sub s t2) . 
Definition context_closed := 

forall tl t2 c, R tl t2 -> R (fill c tl) (fill c t2) . 
Definition rewrite_ordering := substitution_closed /\ context_closed. 

where vars is the set of variables of a term (module AVariables), modeled using FSets: 
the standard finite sets library of Coq. 



3.6. Rewriting 

Having defined the notions of context and substitutions, we can now define rewriting 
(module ATrs). Rewrite relations are defined from sets of rules, a rule simply being a 
pair of terms: 

Record rule : Type := mkRule { Ihs : term; rhs : term }. 

For a system to terminate, it is necessary that the left-hand side is not a variable 
and that all the variables occurring in the right-hand side also occur in the left hand- 
side. These conditions are not required at this stage but will be part of the termination 
conditions to check. 

The standard rewrite relation generated from a list R of rewrite rules is then defined 
as follows: 

Definition red u v := exists Ires, 

In (mkRule 1 r) R /\ u = fill c (sub si) /\ v = fill c (sub s r) . 

We have red : term -> term -> Prop, so red is a relation on terms. We have a 
reduction step red u v, usually written as u — v, whenever there exist a term a 
term r, a context C and a substitution a such that I ^ r Q R, u = C[la] and v = C[ra]. 

The transformations done by modern termination techniques in fact lead to more 
complex relations. First, rewriting can occur at the top of a term only or, conversely, 
never at the top: 

Definition hd_red u v := exists Irs, 

In (mkRule 1 r) R /\ u = sub s 1 /\ v = sub s r. 
Definition int_red u v := exists Ires, cOHole /\ 

In (mkRule 1 r) R /\ u = fill c (sub si) /\ v = fill c (sub s r) . 



F. Blanqui and A. Koprowski 



14 



And one may consider (top) rewriting modulo some other relation: 

Definition red_mod := red E # (§ red R. 
Definition hd_red_Mod := S @ hd_red R. 
Definition hd_red_mod := red E # (§ hd_red R. 

where denotes the composition of two relations, and # the reflexive and transitive 
closure of a relation (module RelUtil). 

3.7. Termination 

We now come to the definition of termination itself. In the introduction, we defined it as 
the absence of infinite rewrite sequences (chains), as it is often defined in the literature. 

An alternative definition is based on the notion of well-foundedness: a relation R is 
well-founded on a class X if every non-empty subset of X has a minimal element with 
respect to R. 

The two definitions are equivalent in classical logic under the Axiom of Choice. 

The interesting aspect of the second definition is that it provides an induction principle 
that is a particular case of transfinite induction: given a relation S that is well-founded on 
X, a property P holds for all the elements of X if, for all x,y G X, P{x) holds whenever 
P{y) holds for all y such that ySx. 

Such a generic induction principle, with P as a parameter, is defined in the Coq 
standard library (module Wellfounded). Because its use requires to write rewrite steps 
the other way around {y x instead of x -^r y) , in CoLoR, as it is traditional in 
rewriting theory, we prefer to use the following dual definition (module SN): 

Inductive SN x : Prop := SN_intro : (forall y, R x y -> SN y) -> SN x. 
Definition WF := forall x, SN x. 

However, we provide lemmas to go from the CoLoR representation to the Coq repre- 
sentation: 

Lemma WF_transp_wf : WF (transp R) -> well_founded R. 
Lemma wf_transp_WF : well_founded (transp R) -> WF R. 

where transp is a transposition of a relation: trsinsp R x y = R y x. 

Well-founded relations can also be used to define functions recursively. In Coq, the well- 
foundedness proof itself can be used as an extra-argument to make explicit the decrease 
of the arguments in the recursive calls. 

Hence, CoLoR can also be seen as a toolbox for defining functions by well-founded 
induction and proving the totality of such functions. Indeed, CoLoR provides various 
results on the theory of arbitrary (well-founded) relations (and not only rewrite relations) 
like, for instance, the multiset extension of a relation (directory Util/Multiset) and 
some general results on the union and composition of well-founded relations (directory 
Util/Relation). 

Finally, we formalized the relations between the two definitions of termination. 
When a relation is finitely branching (the set of successors is always finite, although not 
necessarily bounded), we proved that the existence of an infinite chain implies that the 
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relation is not well-founded (module IS_NotSN). Proving this implication for non-finitely- 
brancliing relations would require to develop some general theory of ordinals. However, we 
proved that a rewrite relation generated from a set of rules is finitely branching whenever 
the set of rules is finite (module AReduct). 

For proving the converse, that is, that there is an infinite chain if the relation is not 
well-founded (module NotSN_IS), as already mentioned, we need to use the Axiom of 
Excluded Middle and the Axiom of (Dependent) Choice: 

Definition IS R f := forall i , R (f i) (f (S i) ) . 
Definition classic_lef t_total R := forall x, exists y, R x y. 
Axiom dep_choice : forall (B : Type) (b : B) (R : relation B) , 
classic_lef t_total R -> exists f, IS R f. 

where IS stands for infinite-sequence and expresses that there is an infinite reduction 
in R. The dep_choice axiom is a consequence of a more general choice axiom (c/. 
DepChoicePrf in CoLoR and ClassicalChoice in Coq standard library). 

4. Dependency pairs 

In this section, we explain the formalization and proof of a key notion of modern ter- 
mination techniq ues: the notion of dependency pairs ([Arts fc Giesl, 2000[ Hirokawa & 
Middeldorp, 2005'; |Giesl et aZ., 2006D . 

We call a function symbol / defined if there is a rule which left-hand side is headed 
by /; otherwise it is a constructor. Further denote by (resp. ^ ) rewriting at the top 
(resp. below the top); defined in Coq as hd_red (resp. int_red). 

Let i? be a set of rewrite rules, and assume that the rewrite relation generated by 
R does not terminate. Let Too be the (non-empty) set of non-terminating terms whose 
subterms are all terminating. Then, for all t € Too, there is a rule I ^ r € R and a 
subt erm s of r headed by a defined symbol that is not a strict subterm of I ^ Dershowitz, 
2004), and such that t la ra > sa G Too- 

The pairs / s such that I ^ r E R and s is a subterm of r headed by a defined 
symbol that is not a strict subterm of I are called the dependency pairs of i?, and the 
relation ^ *^ (relation composition is written by juxtaposition) is called a chain 
(module ADP): 

Fixpoint mkdp (S : rules) : rules := 
match S with 
I nil => nil 

I a : : S' => let (l,r) := a in 
map (mkRule 1) (filter (negb_subterm 1) (calls R r)) ++ mkdp S' 

end. 

Definition dp := mkdp R. 

Definition chain := int_red R # (§ hd_red dp. 

where ++ (concatenation), map and filter are usual functions of the Coq standard library 
on lists, negb_subterm 1 says if a term is not a subterm of 1 (negb standing for negation 
on the bool type, as opposed to not on Prop), and calls R r gives the list of subterms 
of r which are headed by a symbol defined by a rule of R. 
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In the literature, dependency pairs are generally expressed in the extended signature 
S^SUj/" |/sE}by replacing in both sides of a dependency pair the top symbol 
by their version. As a consequence, ^ ^ can be replaced by — ^ since no rule of R can 
be applied at the top of a term of the form /"(ti, . . . This transformation is also 
formalized in CoLoR in the module ADuplicateSymb. 

Then, the main theorem of dependency pairs says (module ADP): 

Variable hypl : forallb ((§is_notvar_lhs Sig) R = true. 
Variable hyp2 : rules_preserve_vars R. 
Lemma WF_chain : WF chain -> WF (red R) . 

As just explained, the classical proof consists of assuming an infinite sequence of R 
steps and showing that one can build an infinite sequence of chain steps. But a di- 
rect constructive proof can be given by well-founded induction on chain. As shown in 
( [Blanqui, 2006D , the proof technique is the same as the one based on Tait and Girard 
computability/reducibility predicates ( [Girard et al., 1988D for proving the termination 
of /3-reduction, the correctness of the notion of computability closure ( [Blanqui, 2007[ ), or 
the termination of the higher-order recursive path ordering ( [Jouannaud fc Rubio, 1999[ ). 

First, we proceed by well-founded induction on chain. Second, we prove that every 
term t terminates by induction on t and well-founded induction on the terminating 
subterms oft. If t is a variable, then it follows from the assumption hypl that no rule left- 
hand side is a variable (module ASN). Otherwise, by definition of termination, it suffices 
to prove that every reduct of t terminates. If the reduction does not occur at the top, 
then the conclusion follows from the induction hypotheses. Otherwise, there is a rule 
I — > r and a substitution a such that t = la and the reduct is ra. Then, we can conclude 
by proving the following two lemmas: 

1 Every subterm of ra headed by a defined symbol terminates, either because it is a 
strict subterm of /cr, or because it is a chain reduct. In both cases, we can conclude 
by induction hypothesis. 

2 We have ra = s9 where s is the constructor term obtained from ra by replacing sub- 
terms headed by a defined symbol by distinct fresh variables, and 6 is the substitution 
mapping each one of these fresh variables to the corresponding subterms. Then, one 
can prove that, for all constructor terms s and terminating substitutions 9 {i.e. x9 
terminates for all x), s9 terminates (module ASN). 

The term s is generally called the (constructor) cap of ra, and the substitution 9 the 
corresponding alien substitution of t. The cap and the alien substitution are unique up to 
the renaming of fresh variables used in the cap. The definitions of cap and aliens provide 
a nice example of higher-order, dependent and polymorphic function (module ACap). It 
uses an auxiliary function capa which, for every term t, computes an element of type: 
Definition Cap := { k : nat & (terms k -> term) * terms k ]-. 
which is a dependent triple (fc, /, v) where: 

— fc is the number of aliens of t (function nb_aliens), 

— / is a function which, given a vector x of k terms, returns the cap with the i-th alien 
replaced by the i-th term of x (function f cap), 

— V is the vector of the fc aliens of t (function aliens). 
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The function capa is then defined as follows: 

Fixpoint capa (t : term) : Cap := 
match t with 

I Var X => mkCap (fun _ => t , Vnil) 
I Fun f ts => 

if defined f R then 

mkCap (fun v => Vnth v (lt_D_Sn 0) , Vcons t Vnil) 
else 

let cs := Vmap capa ts in 

mkCap (fun v => Fun f (Vmap_sum cs v) , cone cs) 

end. 

where mkCap is a function to construct term of type Cap, lt_0_Sn is a proof that < S n 
for arbitrary n and cone concatenates all the aliens of a vector of caps: 

Fixpoint cone n (cs : Caps n) : terms (sum cs) := 
match cs as cs return terms (sum cs) with 
I Vnil => Vnil 

I Vcons c _ cs' => Vapp (aliens c) (cone cs') 
end. 

and, given a vector cs of caps and a vector v of (sum cs) terms, Vmap_sum breaks v in 
vectors which sizes are the numbers of aliens of every cap of cs, applies every f cap to 
the corresponding vector, and concatenates all the results: 

Fixpoint Vmap_sum n (cs : Caps n) : terms (sum cs) -> terms n := 
match cs as cs in vector _ n return terms (sum cs) -> terms n with 
I Vnil => fun _ => Vnil 
I Vcons c _ cs' => fun ts => 

let (hd.tl) := Vbreak ts in Vcons (fcap c hd) (Vmap_sum cs' tl) 

end. 

Finally, the cap and aliens are obtained as follows: 

Definition cap t := match capa t with exists n (f,_) => f (fresh_for t n) end. 
Definition alien_sub t := fsub (maxvar t) (aliens (capa t)). 

where exists x P is the single constructor of the subset type behind the notation 
{x I P}, f resh_f or t n is a vector of n variables fresh for t and fsub xO n v is the 
substitution {a;o + 1 wi, . . . , + n ^ 

5. Dependency graph decomposition 

The next major result of the dependency pair framework is based on the analysis of the 
possible sequences of function calls. This is accomplished by means of an analysis of the 
so-called dependency graph, Q{R). The dependency graph is the graph where nodes are 
the dependency pairs of R and edges are given by the relation ^|j: there is an edge from 
li — > si to I2 ^ S2 if sici^lj ^2C2 for some substitutions ui and cf2- Then, the relation 

terminates if, for every strongly connected component C of G{R), 
terminates ( |Giesl et ai, 2002| ). This important result allows one to split a termination 
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problem into simpler ones that can be dealt with independently (and in parallel) using 
different techniques. 

In CoLoR, G{R) is formalized as an instance, taking (int_red R#) for S, and (dp R) 
for D, of the following relation hd_rules_graphon rules, where shift p is the substitution 
mapping a variable x to the variable x+p (using a shift and a substitution is equivalent 
and no more difficult than using two substitutions): 

Variable S : relation term. 
Variable D : rules. 

Definition hd_rules_graph al a2 := In al D /\ In a2 D 

/\ exists p, exists s, S (sub s (rhs al)) (sub s (shift p (Ihs a2))). 

However, the graph G{R) is generally not decidable. To address this problem, various 
decidable over-approximations have been introduced. The most common one is based on 
unification (module AUnif): there is an edge from li — > si to I2 S2 if RENCAp(si) and 
I2 are unifiable, where rencap(si) (module ARenCap) is like the cap of si defined in the 
previous section but with variables considered as aliens too and alien subterms replaced 



by fresh variables not occurring in I2 (Arts & Giesl, 2000). Note that, by definition of the 



cap, two occurrences of the same alien subterm are replaced by distinct fresh variables. 
Hence, rencap(si) is linear and its variables are distinct from those of ^2- The Coq 
formalization (module ADPUnif ) is as follows (<< is the notation for relation inclusion): 

Variables R D : rules. 

Definition connectable u v := unifiable (ren_cap R (S (maxvar v) ) u) v. 
Definition dpg_unif (rl r2 : rule) := 

In rl D /\ In r2 D /\ connectable (rhs rl) (Ihs r2) . 
Lemma dpg_unif _correct : hd_rules_graph (red R #) D « dpg_unif . 

Now, to avoid the computation inside Coq of the strongly connected components of 
the chosen over-approximation of Q{R) (represented hereafter by a boolean function 
approx) and of their topological ordering, and also to allow the user to deal with various 
components at the same time, we introduce a notion of valid decomposition of the set of 
dependency pairs: 

Variable approx : rule -> rule -> bool. 
Notation decomp := (list rules). 
Fixpoint valid_decomp (cs : decomp) : bool := 
match cs with 
I nil => true 

I ci :: cs' => valid_decomp cs' && 
forallb (fun b => 
forallb (fun cj => 

forallb (fun c => negb (approx b c)) cj) 
cs') 

ci 

end. 

A decomposition (ci, . . . , c„) (the order is important) is valid if for all i, for every rule 
6 in Ci, for all j > i, and for every rule c in Cj, there is no edge from b to c. Hence, we 
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can proceed by induction on the size n of the decomposition to prove the decomposition 
theorem under the following assumptions (module ADecomp): 

Definition Graph x y := approx x y = true. 

Variable approx_correct : hd_rules_graph S D << Graph. 

Lemma WF_decomp : 

forall (hypD : rules_preserve_vars D) (cs : decomp) (hypl : incl D (flat cs)) 
(hyp2 : incl (flat cs) D) (hyp3 : valid_decomp cs = true) 
(hyp4 : Iforall (fun ci => WF (hd_red_Mod S ci)) cs) , 
WF (hd_red_Mod S D) . 

Indeed, if Ri and R2 are two terminating relations, then i?i U R2 terminates whenever 
R1R2 C R2R1 (module Union), which is trivially the case here since R1R2 is empty 
(there is no edge from Ci to Cj if j > i). 

6. Reduction pairs 

A general termination technique consists of checking that every rule is included in some 
reduction ordering, i.e. a well-founded rewrite relation, like, for instance, the recursive 
path ordering ( [Dershowitz, 1982| ) (module AMcinnaNess): 

Variables (R : rules) (succ : relation term) . 
Definition reduction_ordering := WF R /\ rewrite_ordering R. 
Definition compat := forall 1 r : term, In (mkRule 1 r) R -> succ 1 r. 
Lemma manna_ness : reduction_ordering succ -> compat -> WF (red R) . 

This basic result can be extended to (top) rewriting modulo by using (weak) reduction 
pairs ( [Kusakari et ai, 1999P , that is, pairs of relations (>-,>r) closed by substitution 
such that >- is well-founded, h ■ ^ Q >- and >z (and are closed by context (module 
ARelation): 

Definition absorb A (R S : relation A) := S (§ R « R. 
Record Weak_reduction_pair : Type := mkWeak_reduction_pair { 

wp_succ : relation term; 

wp_succ_eq : relation term; 

wp_subs : substitution_closed wp_succ; 

wp_subs_eq : substitution_closed wp_succ_eq; 

wp_cont_eq : context_closed wp_succ_eq; 

wp_absorb : absorb wp_succ wp_succ_eq; 

wp_succ_wf : WF wp_succ }. 
Lemma manna_ness_hd_mod : forall wp : Weak_reduction_pair Sig, 

compat (wp_succ_eq wp) E -> compat (wp_succ wp) R -> WF (hd_red_mod E R) . 

More generally, if all rules are included in >^ , then all rules included in >- can be removed 
( [Endrullis et ai, 2008[ ). Reduction pairs can therefore be used to simplify termination 
problems. This is formalized in CoLoR by a functor ( [Chrz^szcz, 2003[ ) taking as argument 
boolean functions representing some decidable under- approximations of the relations >- 
and y (module ARedPair): 

Module Type WeakRedPair . 

Parameter Sig : Signature. Notation term := (@term Sig). 
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Parameter succ : relation term. 
Parameter wf_succ : WF succ. 

Parameter sc_succ : substitution_closed succ. 
Parameter bsucc : term -> term -> bool. 
Parameter bsucc_sub : rel bsucc « succ. 

End WeakRedPair . 

Module WeakRedPairProps (Import WP : WeakRedPair) . 

Notation rule := (rule Sig) . Notation rules := (rules Sig) . 
Definition wp := mkWeak_reduction_pair 

sc_succ sc_succeq cc_succeq succ_succeq_compat wf_succ. 
Lemma WF_wp_hd_red_mod : forall E R, 
forallb (brule bsucceq) E = true -> 
forallb (brule bsucceq) R = true -> 
WF (hd_red_mod E (filter (brule (neg bsucc)) R) ) -> 
WF (hd_red_mod E R) . 
End WeakRedPairProps . 

This functor also provides high-level tactics ( [Delahaye, 2000[ ) for applying its lemmas 
and automatically checking their conditions: 

Ltac check_eq := vm_compute; refl. 

Ltac do_prove_termination prove_cc_succ lemma := apply lemma; 
match goal with 

I I - context_closed _ => prove_cc_succ 
I I- WF _ => idtac 

I !-_ = _=> check_eq I I fail "some rule is not in the ordering" 
end. 

Ltac prove_termination prove_cc_succ := 

let prove := do_prove_termination prove_cc_succ in 
match goal with 

I I - WF (red _) => prove WF_rp_red 

I I - WF (red_mod _ _) => prove WF_rp_red_mod 

I I - WF (hd_red_mod _ _) => prove WF_wp_hd_red_mod . . . 

end. 

The first tactic tries to prove a goal of the form _ = _ by first reducing each side of the 
equality to their normal form using Coq efficient normalization procedure vm_compute 
( [Gregoire fc Leroy, 2002[ ), and then by checking the syntactic equality of the resulting 
terms. 

The second tactic takes as argument another tactic prove_cc_succ for checking that 
succ is closed by context, and the termination lemma to use. The generated subgoals of 
the form WF _ are left unchanged (idtac), and the generated subgoals of the form _ = _ 
are proved by using the first tactic. 

Finally, the third tactic takes prove_cc_succ as argument and, depending on the 
form of the goal, calls the second tactic with the appropriate termination lemma {e.g. 
WF_wp_hd_red_mod for a relative top termination problem) . 
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There are various ways to build reduction orderings/pairs. As already mentioned in 
Section [3.51 interpretation in some well-founded domain is a popular one (Manna & Ness, 
1970). 

Indeed, an interpretation I and a relation R on the domain of I provide a relation 
on terms by universally quantifying on all possible interpretations of variables (module 
AWFMInt erpr et at ion) : 
Definition IR : relation term := 

fun t u => forall xint , R (term_int xint t) (term_int xint u) . 

Many properties satisfied by R are also satisfied by IR, in particular well-foundedness. 
Moreover, IR is closed by substitution. However, for IR to be closed by context, the 
interpretation of each symbol needs to be monotone wrt R: 
Definition monotone := forall f, Vmonotonel (fint I f) R. 
Lemma IR_reduction_ordering : monotone -> WF R -> reduction_ordering IR. 

Based on the notions of a reduction pair and of interpretation into some well-founded 
domain, a generic module (AMonAlg) of (extended) monotone algebras is defined, fol- 
lowing the presentation of ( [Endrullis et ai, 2008[ ), with support for total, relative and 
relative-top termination. 

7. Polynomial interpretations 

In this section, we present a formalization of a widely used class of interpretations on the 
well-founded domain of natural numbers: polynomial interpretations ( [Lankford, 1979] 
|Contejean et ai, 2005p . 

Our current formalization of integer polynomials (module Polynom) is simple, but 
sufficient for our purpose since polynomials used in termination proofs are often small 
(degree and coefficients are often bounded by small constants like 1 or 2). 

The type of polynomials depends on the maximum number n of variables. A polynomial 
is represented by a list of pairs made of an integer and a monomial, a monomial being a 
vector of size n made of the powers of each variable: 
Notation monom := (vector nat) . 
Definition poly n := list (Z * monom n) . 

For instance, if n = 2 and the variables are denoted by xi, . . . , a;„, then the monomial 
xfx2 is represented by the vector (3, 1). 

This representation is not canonical: a polynomial can be represented in various ways. 
It is however easy to compute the coefficient of a monomial: 
Fixpoint coef n (m : monom n) (p : poly n) : Z := 
match p with 
I nil => 
I cons (c,m') p' => 
match monom_eq_dec m m' with 
I left _ => c + coef m p' 
I right _ => coef m p' 
end 

end. 
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The module Polynom then provides basic operations on polynomials: addition, subtrac- 
tion, multiplication, power, composition and evaluation to an integer (Z) given values for 
variables. 

Now, a polynomial interpretation consists of associating to every function symbol of 
arity n, an integer polynomial with n variables (module APolyInt). 

Definition Polylnterpretation := forall f : Sig, poly (arity f ) . 

Then, every term with n variables can be interpreted by an integer polynomial with 
n variables, by recursively composing the polynomials interpreting the function symbols 
occurring in the term. However, to define this polynomial, we need to know the number of 
variables in advance. To this end, we use an intermediate representation for terms where 
variables (which are represented by natural numbers) are bounded (module ABterm): 

Variable k : nat . 
Inductive bterm : Type := 

I BVar : forall x : nat, x<=k -> bterm 

I BFun : forall f : Sig, vector bterm (arity f) -> bterm. 
Fixpoint inject_term (t : term) : maxvar_le k t -> bterm := ... 
Variable PI : Polylnterpretation. 

Fixpoint termpoly k (t : bterm k) : poly (S k) := 
match t with 

I BVar X H => (.(1)7,2, mxi (gt_le_S (le_lt_n_Sm H))) :: nil 
I BFun f V => pcomp (PI f) (Vmap (Otermpoly k) v) 
end. 

where mxi H is the monomial Xi if iJ is a proof of i < rt. 

Now, for proving termination of some rewrite system, the polynomial interpretation 
must satisfy two conditions: 

— polynomials must be monotone in each variable; 

— for every rule I r, the interpretation of I (polynomial P/), must be strictly bigger 
than the interpretation of r (polynomial P,.), for all evaluations of variables in N. 

The latter problem corresponds directly to the positiveness test for the polynomial 
P; — Pf. — 1 > 0, which is undecidable in general. We follow the usual approach taken 
in most termination provers and use absolute positiveness check for that purpose i.e. , a 
poly nomial is absolutely positive if all its coefficients are non-negative (^ Contejean et ai, 
2005). 

We also use a simple test for (strict) monotonicity, by testing that each monomial Xi 
is (strictly) positive. However, we plan to implement more general conditions, especially 
for polynomials of degree two. 

Program Definition rulePoly_ge rule := 
let 1 : = Ihs rule in 
let r := rhs rule in 

let m := max (maxvar 1) (maxvar r) in 

termpoly (@inject_term _ m 1 _) - termpoly ((§inject_term _ m r _) . 
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Definition rulePoly_gt rule := rulePoly_ge rule - 1. 

The minus (— ) operator and the constant 1 above are overwritten notations for polyno- 
mial operations. 

Then, given a polynomial interpretation, one can define an instance of a monotone 
algebra (AMonAlg), as described in the preceding section, and use the associated tactics 
to simplify termination problems, by removing strictly decreasing rules. 

8. Example of automatically generated termination proof 

In this section, we present in extenso an example of Coq script automatically generated 
by Rainbow from some simple termination certificate. 
The rewrite system that we consider is: 

'minus{x, zero) — > x 
minus {succ{x), succ{y)) — > minus{x,y) 
quot{zero, succijj)) — > zero 
quot{succ{x) , succ{y)) — > succ{quot{minus{x,y), succ{y))) 
This system computes the quotient of two natural numbers encoded in unary notation. 
This system is not simply terminating (by taking y = succ(x), the right-hand side of the 
fourth rule can be embedded in the corresponding left-hand side). It can however be 
dealt with by a simplification ordering ( [Dershowitz fc Jouannaud, 1990D after applying 
some argument filtering ( [Arts fc Giesl, 2000D (by erasing the first argument of minus), 
another simple but very useful technique that is formalized in the module AFilter but 
that we will not explain in this paper. Hence, we do the argument filtering by hand and 
consider the resulting system instead: 

minus{zero) zero 
minus {succ{x)) succ{minus{x)) 
quot{zero, succ{y)) zero 
quot{succ{x), succ{y)) succ{quot{minus{x), succ{y))) 

and the following termination certificate (in the Rainbow format with some XML tags 
removed for the sake of simplicity; note that Rainbow also supports the CPF format used 
by many termination provers) that could be automatically generated by some termination 
prover: 
<dp> 

<decomp><graph><hde/></ graph> 
<component> 

<rules><!-- minus (succ(x) ) -> minus(x) -->... </rules> 
<manna_ness> 
<poly_int> 
<f un>zero</f un> 

<polynomial>< ! -- -->... </polynomial> 
<f un>succ</f un> 

<polynomial>< ! -- l.x_l + 2 -->... </polynomial> 
<f un>minus</fun> 
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<polynomial>< ! -- l.x_l + 1 -->... </polynomial> 
<f un>quot</f uii> 

<polynomial>< ! -- l.x_l.x_2 + l.x_l + l.x_2 -->... </polynomial> 
</poly_int> 
<trivial/> 
</maima_ness> 
</ component > 
<component> 

<rules><!-- quot (succ (x) , succ (y) ) -> minus (x) -->... </rules> 
</component> 
<component> 

<rules>< ! --quot (succ (x) , succ (y) ) -> quot (minus (x) , succ (y) ) --> . . . </rules> 
<manna_ness> 
<poly_int> 
<f un>zero</f un> 

<polynomial>< ! -- -->... </polynomial> 
<f un>succ</ f un> 

<polynomial>< ! -- l.x_l + 2 -->... </polynomial> 
<f un>minus</fun> 

<polynomial>< ! -- l.x_l + 1 -->... </polynomial> 
<f un>quot</f un> 

<polynomial>< ! -- l.x_l.x_2 + l.x_l + l.x_2 -->... </polynomial> 
</poly_int> 
<trivial/> 
</manna_ness> 
</ component > 
</decomp> 
</dp> 

This certificate proposes to prove the termination of the system by the following pro- 
cedure: 

1 apply the dependency pair transformation, 

2 decompose the resulting problem into 3 components: 

(a) eliminate all the rules of the first component that strictly decrease in the given 
polynomial interpretation, resulting in an empty set of rules (XML tag <trivial/>), 

(b) do nothing with the second component since it contains no loop in the dependency 
graph, 

(c) eliminate all the rules of the third component that strictly decrease in the given 
polynomial interpretation, resulting in an empty set of rules (XML tag <trivial/>). 

The Coq script generated by Rainbow is the following. It first defines the signature 
and the set of rules: 

Require Import (* necessary CoLoR modules *) ... 
Open Scope nat_scope. 

(* set of function symbols *) 

Module M. Inductive symb : Type := minus : symb I ... End M. 
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Definition beq_symb (f g : M.symb) : bool := 

match f, g with M. minus, M. minus => true I ... !_,_=> false end. 
Lemma beq_symb_ok : forall f g : M.symb, beq_symb f g = true <-> f = g. 

Proof. beq_symb_ok. Qed. 
Definition ar (s : M.symb) : nat := match s with M. minus => 1 I ... end 

(* signature 1 *) 
Module SI. 

Definition Sig := ASignature .mkSignature ar beq_symb_ok. 
Definition Fs : list Sig := M. zero : :M. succ : :M.quot : :M. minus : :nil . 
Lemma Fs_ok : forall f : Sig, In f Fs. Proof. list_ok. Qed. 
Definition some_symbol : Sig := M. minus. 

Lemma arity_some_symbol : arity some_symbol > 0. Proof. check_gt. Qed 
End SI. 

(* rewrite rules *) 

Definition E : ATrs. rules SI. Sig := nil. 

Definition R : ATrs. rules SI. Sig := SATrs .mkRule SI. Sig 

(@Fun SI. Sig M. minus (Vcons (OFun SI. Sig M.zero Vnil) Vnil)) 

(@Fun SI. Sig M.zero Vnil) :: ... :: nil. 
Definition rel := ATrs.red_mod E R. 

Then, it defines each parameter required in the termination proof: 

(* graph decomposition 1 *) 

Definition csl : list (list (@ATrs.rule SI. Sig)) := 
(@ATrs.mkRule SI. Sig (SFun SI. Sig M. minus 

(Vcons (OFun SI. Sig M.succ (Vcons (OVar SI. Sig 0) Vnil)) Vnil)) 
(OFun SI. Sig M. minus (Vcons (SVar SI. Sig 0) Vnil)) 
: : nil) : : ... : : nil . 

(* polynomial interpretation 1 *) 
Module PISl. 

Definition sig := SI. Sig. 
Definition trsint (f : SI. Sig) := 

match f as f return poly (SASignature . arity sig f) with 
1 M.zero => (07.Z, Vnil) :: nil I ... end. 
Lemma trslnt_wm : PolyWeakMonotone trsint . 
Proof. PolyWeakMonotone Sl.Fs Sl.Fs_ok. Qed. 
End PISl. 

Module PIl := Polyint PISl. 
(* reduction ordering 1 *) 

Module WPl := WP_MonAlg PIl .MonotoneAlgebra. 
Module WPRl. 

Include (WeakRedPairProps WPl) . 

Ltac prove_cc := PIl .prove_cc_succ_by_ref 1 Sl.Fs Sl.Fs_ok. 
Ltac prove_termin := prove_termination prove_cc. 
End WPRl. 
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(* polynomial interpretation 2 *) ... 
(* reduction ordering 2 *) ... 

Finally, it generates a short proof script for the termination theorem, each termination 
technique used in the certificate giving rise to one tactic call: 

(* termination proof *) 
Lemma termination : ¥F rel. 
Proof . 
unfold rel. 
dp_trans . 

let D := fresh "D" in set_rules_to D; 

graph_decomp Sl.Sig (hde_bool D) csl; subst D. 

hde_bool_correct . 

right . WPRl . prove_termin . 

termination_trivial . 

left. co_scc. 

right. WPR2 .prove_termin. 

termination_trivial . 

Qed. 

hde_bool is the over-approximation based on the equality of top symbols, and co_scc 
is the tactic taking care of acyclic components. 



9. Conclusion 

In this paper we presented the outline of our formalization of the theory of well-founded 
rewrite relations ( [Dershowitz fc Jouannaud, 1990[ |TeReSe, 2003^ in the proof assistant 
Coq ( |Coq Development Team, 2009^ . This includes some key notions (dependency pairs, 
dependency graph decomposition and reduction pairs) that are at the heart of modern 
state-of-the-art automated termination provers dGiesl et al, 2006[ Hirokawa & Middel- 
dorp, 2007). 

We also showed how this formalization is successfully used in the termination compe- 
tition ( [Termination Competition! ) for automatically verifying correctness of termination 
certificates g enerated by those automated termination provers (^ Certification Problem 
Format, 2010). 

We think that this work and the related approaches described in Section [5] should allow 
the safe use of external termination provers in proof assistants, and the development 
of safe proof assistants where functions and predicates can be defined by rewrite rules 
( [Dowek et ai, 2003{|Blanqui, 2005[|Walukiewicz-Chrz^szcz fc Chrz^szcz, 2008[ Boespflug, 
2010), which is one of the solutions proposed so far to increase usability of dependent 
types in proof assistants. The other, complementary, solution is the integration of certified 
decision procedures ( [Blanqui et ai, 2007| [Blanqui ai, 2008|[Strub, 2010|[St"rub, 2010[ ). 



Other termination techniques have already been formalized in CoLoR that are not de- 
scribed here: argument filtering (directory Filter) ( [Arts fc Giesl, 2000| , multiset order- 
ing (directory Util/Multiset), higher-order recursive path ordering (directory HORPO) 
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( Jouannaud & Rubio, 1999 Koprowski, 2009 Koprowski, 2008), matrix and arctic inter- 



pretations (directory Matrixint) ( Koprowski & Waldmann, 2008 Koprowski & Zantema, 



2008), semantic and root labelling ( Zantema, 1995 Sternagel fc Middeldorp, 2008[ ) (direc- 



tory SemLab), loops (directory NonTermin), subterm criterion (directory SubtermCrit) 
( [Hirokawa fc Middeldorp, 2007| ), and usable rules (directory DP) ( [Arts fc Giesl, 2000t 



IGiesl et aZ.,"2003l|Hirokawa fc Middeldorp, 2007D . 

The formalizations of the subterm criterion and usable rules are interesting since their 
classical proofs do not seem convertible into direct constructive proofs. Their formaliza- 
tion in Coq therefore requires the use of classical logic and the Axiom of Choice. It will 
then be interesting to compare it with the same development in Isabelle/HOL ( Sternagel 
fc Thiemann, 2010). 

We also started to formalize Rainbow itself in Coq in order to get an efficient standalone 
certificate checker by using Coq extraction mechanism ( [Letouzey, 2002[ ). 
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